diff --git a/.github/workflows/release-python-runtime.yml b/.github/workflows/release-python-runtime.yml
new file mode 100644
index 00000000000..59e3724797d
--- /dev/null
+++ b/.github/workflows/release-python-runtime.yml
@@ -0,0 +1,74 @@
+name: Build Python Runtime
+
+permissions:
+    id-token: write # This is required for requesting the JWT
+    contents: read  # This is required for actions/checkout
+
+on:
+    workflow_dispatch:
+        inputs:
+            tag:
+                description: The release tag/version string
+            dry-run:
+                description: Actually upload or just test build step?
+                default: false
+                type: boolean
+jobs:
+  version:
+    outputs:
+      version: ${{ steps.echo.outputs.version }}
+    # version job uses ubuntu 24.04, this way we don't have to install the updated clang while
+    # the build job uses 20.04 for libc compatibility.
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - id: echo
+        run: |
+          echo "::set-output name=version::1.$(cat src/workerd/io/supported-compatibility-date.txt | tr -d '-').0"
+
+  build:
+    runs-on: ubuntu-20.04
+    name: build Python runtime
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          show-progress: false
+      - name: Setup Linux
+        if: runner.os == 'Linux'
+        run: |
+          export DEBIAN_FRONTEND=noninteractive
+          wget https://apt.llvm.org/llvm.sh
+          sed -i '/apt-get install/d' llvm.sh
+          chmod +x llvm.sh
+          sudo ./llvm.sh 15
+          sudo apt-get install -y --no-install-recommends clang-15 lld-15 libunwind-15 libc++abi1-15 libc++1-15 libc++-15-dev
+          echo "build:linux --action_env=CC=/usr/lib/llvm-15/bin/clang --action_env=CXX=/usr/lib/llvm-15/bin/clang++" >> .bazelrc
+          echo "build:linux --host_action_env=CC=/usr/lib/llvm-15/bin/clang --host_action_env=CXX=/usr/lib/llvm-15/bin/clang++" >> .bazelrc
+      - name: Configure download mirrors
+        shell: bash
+        run: |
+          if [ ! -z "${{ secrets.WORKERS_MIRROR_URL }}" ] ; then
+            # Strip comment in front of WORKERS_MIRROR_URL, then substitute secret to use it.
+            sed -e '/WORKERS_MIRROR_URL/ { s@# *@@; s@WORKERS_MIRROR_URL@${{ secrets.WORKERS_MIRROR_URL }}@; }' -i.bak WORKSPACE
+          fi
+      - name: Bazel build
+        # Strip debug info here – we don't generate debug info but some is pulled in from external
+        # static libraries, for example the Rust STL. This is equivalent to the -Wl,-S linker
+        # option, symbols will not be removed.
+        run: |
+          bazelisk build --config=release_linux //src/pyodide:pyodide.capnp.bin@rule
+          cp bazel-bin/src/pyodide/pyodide.capnp.bin pyodide-${{ inputs.tag }}.capnp.bin
+
+      - id: "GCS-auth"
+        if: ${{ !inputs.dry-run }}
+        uses: 'google-github-actions/auth@v2'
+        with:
+            service_account: 'python-packages-writer@edgeworkers.iam.gserviceaccount.com'
+            workload_identity_provider: "projects/672150504942/locations/global/workloadIdentityPools/github-workerd/providers/github-workerd"
+      - id: 'upload-file'
+        if: ${{ !inputs.dry-run }}
+        uses: 'google-github-actions/upload-cloud-storage@v2'
+        with:
+            path: 'pyodide-${{ inputs.tag }}.capnp.bin'
+            destination: 'cloudflare-edgeworker-python-packages/python-runtime-capnp-bin'
+            parent: false